Establishing Model Risk Management
http://ccro.org © Copyright 2025, CCRO. All rights reserved. 16
4. Inventories should capture and track findings identification, backtesting results, issue
resolution, and model changes.
5. Traceability to model versions and residence should be included in inventory
documentation.
5.6. Data
Model performance is dependent on underlying data accuracy, integrity, and applicability.
Accordingly, an MRM program should define information requirements, master data strategy,
data quality and remediation efforts, data quality KPIs, data monitoring and validation, and
data aggregation. It is critical to understand the available data, processes for data traceability
and data lineage, and controls in place to maintain data integrity.
Recommendations
1. Establish originating data sources and authoritative data sources for data inputs.
2. Develop processes and support technology to ensure accuracy when data originates
from an unstructured source (e.g. document, flat file, etc.).
3. Create data lineage diagrams to steward the flow of critical data elements through
sources, models, spreadsheets, EUCs, systems, reports, and other outputs.
4. Procedures and systems should be developed to test the integrity of data mapping and
any stale, omitted, or egregious data outliers.
5. Employ Data Management Software, if applicable.
5.7. Vendor Models
Although companies may not have ideal insight into vendors’ model life cycle processes, they
should still apply model risk management principles to vendor models. Different vendors will
offer varying levels of insight, so the extent of risk management practices may differ by vendor
or model. At the very least, it is critical for companies to receive reasonable assurance that the
model works as intended, train users, calibrate assumptions and inputs to current conditions,
and comply with relevant IT controls.
Recommendations
1. Establish vendor due diligence process, including assessment of vendors’ reputation,
expertise, model life cycle capabilities, validation process, implementation plans,
operational stability, and long-term service viability.
2. Establish vendor model selection process, including assessment of model need,
functionality, fit-for-purpose, performance expectation, cost, data requirements,
hardware requirements, compatibility with existing IT systems, and contractual
requirements.
http://ccro.org © Copyright 2025, CCRO. All rights reserved. 16
4. Inventories should capture and track findings identification, backtesting results, issue
resolution, and model changes.
5. Traceability to model versions and residence should be included in inventory
documentation.
5.6. Data
Model performance is dependent on underlying data accuracy, integrity, and applicability.
Accordingly, an MRM program should define information requirements, master data strategy,
data quality and remediation efforts, data quality KPIs, data monitoring and validation, and
data aggregation. It is critical to understand the available data, processes for data traceability
and data lineage, and controls in place to maintain data integrity.
Recommendations
1. Establish originating data sources and authoritative data sources for data inputs.
2. Develop processes and support technology to ensure accuracy when data originates
from an unstructured source (e.g. document, flat file, etc.).
3. Create data lineage diagrams to steward the flow of critical data elements through
sources, models, spreadsheets, EUCs, systems, reports, and other outputs.
4. Procedures and systems should be developed to test the integrity of data mapping and
any stale, omitted, or egregious data outliers.
5. Employ Data Management Software, if applicable.
5.7. Vendor Models
Although companies may not have ideal insight into vendors’ model life cycle processes, they
should still apply model risk management principles to vendor models. Different vendors will
offer varying levels of insight, so the extent of risk management practices may differ by vendor
or model. At the very least, it is critical for companies to receive reasonable assurance that the
model works as intended, train users, calibrate assumptions and inputs to current conditions,
and comply with relevant IT controls.
Recommendations
1. Establish vendor due diligence process, including assessment of vendors’ reputation,
expertise, model life cycle capabilities, validation process, implementation plans,
operational stability, and long-term service viability.
2. Establish vendor model selection process, including assessment of model need,
functionality, fit-for-purpose, performance expectation, cost, data requirements,
hardware requirements, compatibility with existing IT systems, and contractual
requirements.
